I am installing/upgrading the BladeLogic agent (BL Agent version 8.5.1) using the BMC-provided script, and I see that the script sets umask to 022. In our environment, setting umask to 022 is not allowed because it leaves files world-readable.

May I please know the following?

1. Why does the agent install require umask to be 022?

2. If we install the BL agent with 0027, what issues may occur?

3. Which files need to be world-readable if the deployments/compliance do not run as the root user?

4. If umask 022 is still required, are there any files/directories which we can make 644/755 explicitly?

The rscd.sh only temporarily sets the umask to 022 during the install. Some directories the agent uses are world-writable – transactions, tmp, snapshot, etc. Do you see the installer leaving any world-writable files?

As we are working in a financial environment, the customer/Unix Engineering is not happy with world-readable and execute permissions on directories/files. They say that if only a particular number of files require it, we can run chmod to give 755/644 explicitly on those files and directories.

Unix Engineering's concern is that files in the environment should not be accessible by every user unless it is required. If we run pkgadd for the agent install/upgrade with 0027, will it cause any issues?

Unix Engineering is saying that if the executables in the RSCD agent have any issue and any user runs them, it may crash or cause issues for the whole system. This is the reason they are not approving world-readable/executable permissions for executable scripts/files.

If we deploy with umask 022, is there a set of files which we can keep as 644/755, with all the rest reverting to 600? Can you help me get a list of all the files created as part of the agent install that require 644/755?

If that’s true, are you saying there are no world-executable binaries on this system, including all the OS binaries? I’m sorry, but their statement makes no sense.

We have not qualified running the rscd with different permission sets. You are free to try whatever you like. If that prevents the agent from working properly, then you will need to revert the permissions.
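
Added example (not part of the thread and not BMC code): a sketch of how to see what umask 022 versus 027 actually leaves behind, and how to list world-accessible and world-writable entries after a test install. The tree, the names `simulate_install`, `world_accessible`, `world_writable` and the file `sample` are constructed for illustration, and the explicit `chmod 1777` on `tmp` is an assumption about how a shared directory would be created.

```shell
#!/bin/sh
# Added example: constructed throwaway tree, not the RSCD agent layout or BMC code.

# Build a small tree under the given umask.
# $1 = umask, $2 = target directory (must not exist yet).
simulate_install() {
    (
        umask "$1"
        mkdir -p "$2/bin" "$2/tmp"
        : > "$2/bin/sample"        # default-mode file: 666 masked by umask
        # Assumption: an installer that wants a shared scratch directory sets
        # the mode explicitly; an explicit chmod is not filtered by the umask.
        chmod 1777 "$2/tmp"
    )
}

# Entries under $1 granting read, write or execute to "other".
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Entries under $1 that "other" can write to.
world_writable() {
    find "$1" -perm -002 -print
}

demo=$(mktemp -d)
for m in 022 027; do
    simulate_install "$m" "$demo/umask_$m"
    echo "umask $m, world-accessible:"
    world_accessible "$demo/umask_$m"
    echo "umask $m, world-writable:"
    world_writable "$demo/umask_$m"
done
rm -rf "$demo"
```

Pointing the two `find` functions at the real install directory after a trial install on a test host gives the concrete list of files to review, and shows that a stricter umask does not remove directories whose mode was set explicitly.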